
Gartner® Report: Innovation Insight for SBOMs

Unlock the Full Value of SBOMs for Optimal Software Supply Chain Security

This in-depth report from Gartner explores how organizations can unlock the full value of SBOMs and greatly enhance software supply chain security, including:

  • Integrating SBOMs into DevSecOps pipelines
  • Tracking dependencies between open-source components in the software development lifecycle
  • Generating SBOMs during the software build process rather than relying on pre-generated SBOM data
  • Using SBOM data to continuously assess security and compliance risks – before and after deployment

Cybercriminals today are increasingly targeting vulnerable open-source libraries in DevOps pipelines, as was the case in the infamous Log4j incident. Software engineering teams often lack the tools, practices and standards to systematically discover and share details about vulnerable software packages across the organization.

Software bills of materials (SBOMs) are a critical starting point for software supply chain security. According to Gartner, “SBOMs are an essential tool in your security and compliance toolbox. They help continuously verify software integrity and alert stakeholders to security vulnerabilities and policy violations.”

However, SBOMs alone are not enough. While an SBOM can tell you whether a vulnerable library is present in a piece of software, achieving software supply chain security at scale requires additional capabilities beyond the SBOM itself.

Gartner, Innovation Insight for SBOMs, 14 February 2022, Manjunath Bhat et al.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission.
All rights reserved.